- RatOn is an unusual Android Trojan that combines NFC relay, overlay attacks and automated money transfers
- It targets banking applications and cryptocurrency wallets, stealing PINs and recovery phrases
- Spread through fake TikTok applications, it mainly targets users in Czechia and Slovakia
Security researchers have discovered a rare Android malware strain with capabilities that were “practically unknown” until now.
Earlier this week, ThreatFabric published an in-depth report on RatOn, a remote access Trojan (RAT) with NFC relay capabilities.
An NFC relay attack is when criminals use two devices to trick a payment terminal into thinking a real card or phone is present, even though it is elsewhere. One device (the infected one) reads the victim’s card data and instantly sends it to another device, which makes the payment in the victim’s name.
RatOn malware
“The instances in which a Trojan evolves from a basic NFC relay tool to a sophisticated RAT with an automated transfer system (ATS) are virtually unknown,” said ThreatFabric. “That is why the discovery of the new RatOn by MTI analysts is particularly notable. RatOn fuses traditional overlay attacks with automatic money transfers and NFC relay functionality, which makes it a unique and powerful threat.”
RatOn was first seen in early July 2025, with the latest version appearing on August 29, which means that it is active. It serves mainly as an Android banking Trojan, taking control of devices and accounts. It also targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com or Phantom, and can steal PINs and recovery phrases.
The malware also uses overlays to deceive users and lock devices, and performs automated money transfers using the George Česko banking application. Since George Česko is a mobile banking application in Czechia, the researchers concluded that the attackers are targeting, first of all, individuals in Czechia and Slovakia.
The malware is distributed through fake Google Play Store pages. They were set up to offer an adult version of the TikTok application that housed a malware dropper.
Once installed, the dropper requests certain permissions from the victim, including one that allows it to download applications from third-party sources. If it is granted, a second-stage payload is deployed and requests additional permissions, including the dreaded accessibility services.
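The two-stage chain described above (a sideloaded dropper allowed to install other apps, then a payload with accessibility access) can be checked for on a device inventory. The following is an added example, not code from the report or the article: it assumes an inventory of user-installed apps with each app's installer of record and permissions, plus the value of the `enabled_accessibility_services` secure setting; all package names and sample data are constructed.

```python
# Added example: triage of an Android app inventory for the dropper chain
# described above. All package names and data below are constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your fleet
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def enabled_a11y_packages(setting_value):
    """Parse Settings.Secure 'enabled_accessibility_services'
    (colon-separated 'package/ServiceClass' entries) into package names."""
    if not setting_value or setting_value == "null":
        return set()
    return {e.split("/", 1)[0] for e in setting_value.split(":") if e}


def find_dropper_chains(apps, a11y_setting):
    """apps: user-installed apps as dicts with 'package', 'installer',
    'permissions'. Returns ((dropper, payload) pairs, lone sideloaded apps
    that have an accessibility service enabled)."""
    a11y = enabled_a11y_packages(a11y_setting)
    by_pkg = {a["package"]: a for a in apps}
    sideloaded = {p for p, a in by_pkg.items()
                  if a["installer"] not in TRUSTED_INSTALLERS}
    droppers = {p for p in sideloaded
                if INSTALL_PERM in by_pkg[p]["permissions"]}
    chains, lone = [], []
    for pkg in sorted(sideloaded & a11y):
        installer = by_pkg[pkg]["installer"]
        if installer in droppers:
            chains.append((installer, pkg))  # payload installed by a dropper
        else:
            lone.append(pkg)  # sideloaded + accessibility, no known dropper
    return chains, lone


# Constructed sample inventory (hypothetical package names).
SAMPLE_APPS = [
    {"package": "com.example.bank", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.screenreader", "installer": "com.android.vending",
     "permissions": []},
    {"package": "com.example.videoapp18", "installer": None,
     "permissions": [INSTALL_PERM, "android.permission.INTERNET"]},
    {"package": "com.example.stage2", "installer": "com.example.videoapp18",
     "permissions": ["android.permission.INTERNET"]},
]
SAMPLE_A11Y = ("com.example.screenreader/.ReaderService:"
               "com.example.stage2/.HelperService")

if __name__ == "__main__":
    print(find_dropper_chains(SAMPLE_APPS, SAMPLE_A11Y))
```

A legitimately installed accessibility app (the constructed screen reader here) is not flagged, because its installer of record is the Play Store.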
Via The Hacker News